MFH: r461026

www/waterfox: apply more FF57 fixes Approved by: ports-secteam blanket
author: Jan Beich <jbeich@FreeBSD.org> 2018-02-05 23:49:18 +0000
committer: Jan Beich <jbeich@FreeBSD.org> 2018-02-05 23:49:18 +0000
commit: a78e81243d1f0c914f0da656627f08dab9141a0c (patch)
tree: ed7f11634717d733f1ddb0bd679972c8790e54e5 /www/waterfox/files/patch-bug1405878
parent: 724999648fb394b7b970b5a3a43427c9672206ba (diff)
download: ports-a78e81243d1f0c914f0da656627f08dab9141a0c.tar.gz
ports-a78e81243d1f0c914f0da656627f08dab9141a0c.zip
1 files changed, 120 insertions, 0 deletions
diff --git a/www/waterfox/files/patch-bug1405878 b/www/waterfox/files/patch-bug1405878
new file mode 100644
index 000000000000..fa3d058e234c
--- /dev/null
+++ b/www/waterfox/files/patch-bug1405878
@@ -0,0 +1,120 @@
+commit 87f3d592d92f
+Author: Boris Zbarsky <bzbarsky@mit.edu>
+Date:   Mon Oct 9 14:49:19 2017 -0400
+
+    Bug 1405878 - Make sure to notify for our kids, if needed, before calling DoneAddingChildren in the XML content sink. r=hsivonen, a=sledru
+    
+    Once we call DoneAddingChildren, random code of various sorts will run, which
+    can flush our notification state.  If that happens before we've notified on our
+    kids, but after we've popped the element we're closing off the element stack,
+    we will fail to ever notify on the kids.
+    
+    MozReview-Commit-ID: Ei7v5OobX8R
+    
+    --HG--
+    extra : source : f144e1434312485cf9ee16a36d6159dbcb13a07d
+---
+ dom/xml/crashtests/1405878.xml         | 11 +++++++++++
+ dom/xml/crashtests/crashtests.list     |  1 +
+ dom/xml/nsXMLContentSink.cpp           | 18 +++++++++++-------
+ layout/reftests/bugs/1405878-1-ref.xml |  7 +++++++
+ layout/reftests/bugs/1405878-1.xml     |  6 ++++++
+ layout/reftests/bugs/reftest.list      |  1 +
+ 6 files changed, 37 insertions(+), 7 deletions(-)
+
+diff --git dom/xml/crashtests/1405878.xml dom/xml/crashtests/1405878.xml
+new file mode 100644
+index 000000000000..12677ade938d
+--- /dev/null
++++ dom/xml/crashtests/1405878.xml
+@@ -0,0 +1,11 @@
++<html xmlns="http://www.w3.org/1999/xhtml">
++  <body>
++    <select>
++      <script>document.documentElement.offsetHeight</script>
++    <option>Hello there</option>
++    </select>
++    <script>
++      document.querySelector("body").style.display = "inline";
++    </script>
++  </body>
++</html>
+diff --git dom/xml/crashtests/crashtests.list dom/xml/crashtests/crashtests.list
+index f18767d582c2..2c06ffc545ec 100644
+--- dom/xml/crashtests/crashtests.list
++++ dom/xml/crashtests/crashtests.list
+@@ -10,3 +10,4 @@ load 453278.html
+ load 803586.xhtml
+ load 994740-1.xhtml
+ load 1038887.xhtml
++load 1405878.xml
+diff --git dom/xml/nsXMLContentSink.cpp dom/xml/nsXMLContentSink.cpp
+index 2593519aa44b..b04977d62cf1 100644
+--- dom/xml/nsXMLContentSink.cpp
++++ dom/xml/nsXMLContentSink.cpp
+@@ -1071,6 +1071,17 @@ nsXMLContentSink::HandleEndElement(const char16_t *aName,
+                isTemplateElement, "Wrong element being closed");
+ #endif
+ 
++  // Make sure to notify on our kids before we call out to any other code that
++  // might reenter us and call FlushTags, in a state in which we've already
++  // popped "content" from the stack but haven't notified on its kids yet.
++  int32_t stackLen = mContentStack.Length();
++  if (mNotifyLevel >= stackLen) {
++    if (numFlushed < content->GetChildCount()) {
++      NotifyAppend(content, numFlushed);
++    }
++    mNotifyLevel = stackLen - 1;
++  }
++
+   result = CloseElement(content);
+ 
+   if (mCurrentHead == content) {
+@@ -1086,13 +1097,6 @@ nsXMLContentSink::HandleEndElement(const char16_t *aName,
+     MaybeStartLayout(false);
+   }
+ 
+-  int32_t stackLen = mContentStack.Length();
+-  if (mNotifyLevel >= stackLen) {
+-    if (numFlushed < content->GetChildCount()) {
+-      NotifyAppend(content, numFlushed);
+-    }
+-    mNotifyLevel = stackLen - 1;
+-  }
+   DidAddContent();
+ 
+   if (content->IsSVGElement(nsGkAtoms::svg)) {
+diff --git layout/reftests/bugs/1405878-1-ref.xml layout/reftests/bugs/1405878-1-ref.xml
+new file mode 100644
+index 000000000000..6d1dd199b41e
+--- /dev/null
++++ layout/reftests/bugs/1405878-1-ref.xml
+@@ -0,0 +1,7 @@
++<html xmlns="http://www.w3.org/1999/xhtml">
++  <select>
++    <script>document.documentElement.offsetHeight</script>
++    <option>Hello there</option>
++    <script>document.documentElement.offsetHeight</script>
++  </select>
++</html>
+diff --git layout/reftests/bugs/1405878-1.xml layout/reftests/bugs/1405878-1.xml
+new file mode 100644
+index 000000000000..3915711b1103
+--- /dev/null
++++ layout/reftests/bugs/1405878-1.xml
+@@ -0,0 +1,6 @@
++<html xmlns="http://www.w3.org/1999/xhtml">
++  <select>
++    <script>document.documentElement.offsetHeight</script>
++    <option>Hello there</option>
++  </select>
++</html>
+diff --git layout/reftests/bugs/reftest.list layout/reftests/bugs/reftest.list
+index 52f8cb915cee..47c04cdf41d6 100644
+--- layout/reftests/bugs/reftest.list
++++ layout/reftests/bugs/reftest.list
+@@ -2037,3 +2037,4 @@ needs-focus != 1377447-1.html 1377447-2.html
+ == 1380224-1.html 1380224-1-ref.html
+ == 1384065.html 1384065-ref.html
+ == 1384275-1.html 1384275-1-ref.html
++== 1405878-1.xml 1405878-1-ref.xml
author	Jan Beich <jbeich@FreeBSD.org>	2018-02-05 23:49:18 +0000
committer	Jan Beich <jbeich@FreeBSD.org>	2018-02-05 23:49:18 +0000
commit	a78e81243d1f0c914f0da656627f08dab9141a0c (patch)
tree	ed7f11634717d733f1ddb0bd679972c8790e54e5 /www/waterfox/files/patch-bug1405878
parent	724999648fb394b7b970b5a3a43427c9672206ba (diff)
download	ports-a78e81243d1f0c914f0da656627f08dab9141a0c.tar.gz ports-a78e81243d1f0c914f0da656627f08dab9141a0c.zip